Step by Step Guide: How to Set Up the Microsoft Local Administrator Password Solution (LAPS) | argon systems (2023)

In a company, when setting up new servers or computers, administrators often use a common password for the local administrator account. Administrators often use this account as a back door to install or uninstall software, log in when domain authentication doesn't work, troubleshoot operating system issues, etc. This password is also mostly not complex. We know that some people use passwords known as "Pa$$w0rd" for local administrator accounts. When someone leaves the company, we often change the domain password or deactivate the accounts. However, these local administrator accounts remain the same because changing local account passwords is a complex and time-consuming process.

However, in a typical identity attack, the compromised local administrator account allows attackers to perform pass-the-hash (PtH) attacks and move laterally within the organization, easily compromising more systems. The Microsoft Local Administrator Password Solution (LAPS) addresses this problem by setting a unique complex password for the local administrator account on all domain-joined devices. This local administrator account password defined by Microsoft LAPS is automatically changed according to the password policy. The new passwords are stored in Active Directory and authorized technicians can retrieve the passwords from the Active Directory server when necessary.

We do not require additional licenses or additional servers to implement this solution. This is a free tool. Microsoft LAPS requires aGroup Policy Client Side Extension (CSE)installed on each computer to perform all administration tasks.

Once LAPS is installed,Group Policy Client Side Extension (CSE)installed on each computer updates the local administrator password in the following order.

1. Generate a new password for the local administrator account.
2. Confirm the new password using the password policy settings.
3. Store the password in the Active Directory computer object attributems-Mcs-AdmPwd🇧🇷 This attribute is added to the schematic as part of the LAPS installation process.
4. Save the expiration date of the following password inms-Mcs-AdmPwdExpirationTimeAttribute. This attribute was also added to the schema as part of the LAPS installation process.
5. Change the administrator password.

In the next few steps, I'll show how we can implement Microsoft LAPS. To simplify the implementation process, I have categorized the tasks into the following steps.

1. Check the prerequisites
2. Instalar Microsoft LAPS
3. Update the Active Directory schema
4. Change the permissions of the computer object
5. Assign group permissions for password access
6. Install CSE on computers
7. Create GPO for LAPS configuration
8. Tests

Before we start configuring, we need to check if the current environment supports it.

Check prerequisites

We need to confirm the following before proceeding with Microsoft LAPS setup.

1. Client operating systems– Windows Server 2019, Windows Server 2016, Windows 10, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 7, Windows 8, Windows Vista, Windows 8.1
2. Active Directory– Windows Server 2003 SP1 o posterior
3. Management tools– PowerShell 2.0 o posterior, .Net Framework 4.0 o posterior

Instalar Microsoft LAPS

The next configuration step is to install Microsoft LAPS. Do that,

1. Download the LAPS package from Microsoft athttps://www.microsoft.com/en-us/download/details.aspx?id=46899
   This link contains several .msi files. You must download the .msi file that corresponds to your configuration. In my demo environment I will useLAPS.x64.msi
2. double clickLAPS.x64.msiProceedings. (You must run this as administrator)
3. The new wizard opens. Click on the home screennextContinue.

Figure 1 - Microsoft LAPS Setup Wizard

4. Then in the next window accept the license agreement and click onnextkeep going.
5. In the resource window, uncheck the default value "AdmPwd GPO Extension' and select 'Management tools🇧🇷 If you also manage the local administrator account of the administration server, you must also "AdmPwd GPO Extension🇧🇷 In my demo setup, I'm installing it on a domain controller, so I don't need it.

Figure 2: Install management tools

6. On the next page, clickinstallto start the installation process.
7. After the installation is complete, clickThe end.

After that, we need the Active Directory schema to support Microsoft LAPS.

Update the Active Directory schema

Microsoft LAPS uses two new attributes for computer objects.

1. ms-Mcs-AdmPwd– Save the administrator password in plain text.
2. ms-Mcs-AdmPwdExpirationTime– Store the password expiration timestamp.

To extend the AD schema,

1. Start PowerShell as Active Directory Schema Manager (I'm using PowerShell 7.3)
2. Then import the PowerShell module with it
   AdmPwd.PS-Importmodul
3. Once the module has been imported successfully, run itUpdate-AdmPwdADSchemato update the schema.

Figure 3: Updating the Active Directory schema

4. After the schema update, we can see these two new attributes on the computer object.

Figure 4: New attributes on the computer object

These values ​​will be updated once we are done with the rest of the configuration.

Change permissions of computer objects

During the password update process, the computer object itself must have permission to write valuesms-Mcs-AdmPwdmims-Mcs-AdmPwdExpirationTimeattributes. To do this, we need to grant permissions.AUTOintegrated account.

Do that,

1. Start PowerShell as a domain administrator
2. run commandSet-AdmPwdComputerSelfPermission -OrgUnit RAServers

Figure 5: Changing Computer Object Permissions

In the above example "RAS servers" is the OU I created for all machine objects.

Assign password access permissions to the group

In my demo environment, I have a security group called "IT admin🇧🇷 I need users in this group to see local admin passwords. Before we assign permissions, let's see who has permissions to see passwords by default.

Do that,

1. Start PowerShell as a domain administrator
2. Then import the PowerShell module with it
   AdmPwd.PS-Importmodul
3. Then, to display the elevated users/groups, we need to run the following command.

Find-AdmPwdExtendedRights -Identity "RAS Servers"

Figure 6: Check extended rights

As we can see above, the advanced permissions only apply to the domain administrators group. It means a local administrator password for a computer object under "RA serverOr, it can only be accessed through a domain administrator account. We need to grant the same permissions for "IT admin"Security group. To this we can run

Set-AdmPwdReadPasswordPermission -Identidad „RAServers“ -AllowedPrincipals „ITAdmins“

4. The above command adds elevated permissions to the ITAdmins security group. We can verify this by runningFind-AdmPwdExtendedRights -Identity „RAServers“ | Florida

Figure 7: Updated Extended Rights

Microsoft LAPS required a client-side extension on each device. Let's see how we can do this in the next step.

Install CSE on computers

There are many different methods that we can use to install an agent on a computer. But in this demo I use the GPO to publish and install the agent on the computers.

1. Log in to the domain controller and start GPMC (Group Policy Management Console)
2. Create a new group policy on OU RAServers
3. Next, right-click on Group Policy and click onto edit
4. After that go toComputer setup | Policies | Software Configuration | software installations
5. Right click on it and selectNew | package
6. The Explorer window opens. Then navigate to a network share that contains the LAPS MSI file. In this demo I use pathdc01TURNS TURNS.x64.msiand this share has read permissions for everyone.
7. Then in the next window select the deployment method as "assigned”

Figure 8: Install agent with GPO

This sends the agents to the computers in the RAServers OU. The installation requires a reboot on the client computer to complete the installation.

Create GPO for LAPS settings

We already have everything ready for Microsoft LAPS. It only remains to configure a new GPO with LAPS settings.

1. Log in to the domain controller and start GPMC
2. Create a new group policy on OU RAServers
3. Next, right-click on Group Policy and click onto edit
4. Go to in the new windowComputer setup | Administrative Templates | SHIFTS🇧🇷 There we see four configurations.

Figure 9: Microsoft LAPS GPO Settings

5. Double click "Enable local administrator password management🇧🇷 Then clickTo allowand clickOKto accept the setting. This will enable the password management feature.
6. After that, double click on "password setting🇧🇷 There we can configure the complexity of the password and the age of the password. Once all settings are done, clickOK.

Figure 10: Microsoft LAPS GPO Settings (Password)

7. In my demo environment, the local administrator account is always "rebeladmin". I need the password for this account for LAPS to manage. To set this up, click "Name of the administrator account to managey". Then enable the setting and set the administrator account name.

Figure 11 - Microsoft LAPS GPO Settings (Administrator Account Name to Manage)

8. Also, I want to make sure that none of the local admin password expiration times are longer than what is set in the policy. To force this, I double-click "Do not allow password expiration time to be longer than required by policy' and enable the policy setting.

This completes the Microsoft LAPS setup process. Once this policy has been applied to the endpoints, we can start testing.

Test

Once the policy has been applied, there are ways to view the local administrator password.

1. Log in to the LAPS management server as a member of "IT admin"Group.
2. litter"user interface LAPS" of programs.
3. Then enter a test computer name and click Search.

Figure 12: Verifying the local administrator password using the LAPS user interface

As we can see, LAPS changed the password of the local administrator account.

4. We can also recover the password using the following PowerShell command:Get-AdmPwdPassword - Computer Name SRV01

Figure 13: Verifying the local administrator password with PowerShell

Note: Be sure to import the AdmPwd.PS PowerShell module before running the above command.

As we can see, Microsoft LAPS automatically changes the local administrator password and writes it to Active Directory. This helps prevent lateral movement during an identity attack.

Learn more:

• User Security - Local Accounts
• Security Assessment: Using Microsoft LAPS
• Download Microsoft LAPS